This virus hit companies worldwide on Thursday, September 9th, 2010. Some of the companies compromised include NASA, P&G, Bank of America, Florida DOT, and Disney. The virus disables Windows Firewall as well as all of the major antivirus software. Afterward, it rummages through your contacts in various popular email/chat programs and forwards itself to all of your friends and family.
This virus uses several common tricks/bypasses to fool the victim. For example, the link in the original email displays
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
However, the link actually directs you to
http://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
Note the real target: a .scr screensaver executable, not a PDF. (The website has already been shut down, so you don't have to worry.)
If a victim clicks on the link and executes the malware, the computer becomes infected. The .scr file copies itself as csrss.exe. That is also the name of a critical Windows file, normally located in C:\Windows\System32. The virus instead places its copy in C:\Windows, because it wants to masquerade as closely as possible as the genuine Windows file without actually replacing it. The interesting piece: the executable displays a PDF icon even though it has a .exe extension. Talk about custom icons!
The virus also litters the C: drive with a dozen different files, most of them empty. It creates an autorun.inf that attempts to reinfect the computer should an incomplete virus sweep occur. The virus also replicates itself onto all of your shared drives/removable media, so that whoever accesses those drives becomes infected too. Furthermore, the virus registers itself as the debugger for all of the critical system processes, which means the virus runs whenever those critical system processes are started.
Most people are still in the dark about what the virus's purpose is. Sure, it will try to spread itself. But what is it trying to get? Bank accounts? Usernames/passwords? Emails? It opens ports 137, 138, 139, and 445 in Windows Firewall (after it tries to disable the firewall), but no connections were seen coming in (yet). The virus also tries to call home by connecting to all of the hosts within the 213.131.252.***:80 block, which seems to be hosted in Germany. Because of security policies, none of the connections succeeded, so the purpose of the connection could not be ascertained. Microsoft, McAfee, and Symantec have all put out alerts and technical documentation on this virus, but no one has uncovered a malicious purpose yet. I am very hesitant to believe that the virus writer went through all the trouble of disabling major anti-virus software just to spread the email around. The only damage so far is company downtime and reimaging computers. Perhaps the virus writer just wanted to target one specific company but the virus spread too far? Or was this a trial run to test companies' security defenses? Maybe there's a stage two happening soon. Perhaps it's so sneaky that stage two is happening right now undetected.
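A host-triage script for the indicators described above (the extra csrss.exe in C:\Windows, the debugger attachment to system processes, the autorun.inf, and the firewall changes), added here as an example; it is not part of the original post or of any vendor write-up. It assumes the "debugger" attachment is done through the Image File Execution Options registry key (the standard Windows mechanism for that), that the dropped copy keeps the name csrss.exe, and that netsh advfirewall is available (Vista and later).

```powershell
# Added triage script, not from the original post. Assumptions: the dropped copy keeps the
# name csrss.exe; "attaches itself as a debugger" means an Image File Execution Options (IFEO)
# Debugger value; autorun.inf sits at a drive root; netsh advfirewall exists (Vista and later).
# Run from an elevated PowerShell prompt and review every finding by hand.
$findings = New-Object System.Collections.Generic.List[string]

# 1. csrss.exe anywhere under %SystemRoot% other than its legitimate System32 location
#    (copies in the WinSxS component store are expected and are skipped)
$legit = Join-Path $env:SystemRoot 'System32\csrss.exe'
Get-ChildItem -Path $env:SystemRoot -Filter 'csrss.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $legit -and $_.FullName -notlike '*\WinSxS\*' } |
    ForEach-Object { $findings.Add("csrss.exe outside System32: $($_.FullName)") }

# 2. IFEO Debugger values: Windows launches the named "debugger" whenever the listed image
#    starts, which is how a file can run every time a system process is started
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger on $($_.PSChildName): $dbg") }
}

# 3. autorun.inf at the root of every mounted drive, with its contents for review
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join ' | '
        $findings.Add("autorun.inf at $inf : $body")
    }
}

# 4. Firewall turned off, or enabled inbound allow rules covering 137-139/445
$state = netsh advfirewall show allprofiles state 2>$null
if ($state -match 'State\s+OFF') { $findings.Add('Windows Firewall is OFF on at least one profile') }
$rules = (netsh advfirewall firewall show rule name=all dir=in 2>$null) -join "`n"
foreach ($block in ($rules -split "`n\s*`n")) {
    if ($block -match 'Enabled:\s+Yes' -and $block -match 'Action:\s+Allow' -and
        $block -match 'LocalPort:\s+\S*\b(137|138|139|445)\b' -and $block -match 'Rule Name:\s+(.+)') {
        $findings.Add("Inbound allow rule on 137-139/445: $($Matches[1].Trim())")
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Legitimate entries will show up too (File and Printer Sharing rules on 445, developer tools registered under IFEO), so treat the output as a review list rather than a verdict.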